Underwriters Labs refuses to share new IoT cybersecurity standard

"Too many unhealthy products will pass the bare-minimum certification process."

UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification. But there's a problem: UL's refusal to freely share the text of the new standard with security researchers leaves some experts wondering if UL knows what they're doing.

When Ars requested a copy of the UL 2900 docs to take a closer look at the standard, UL (formerly known as Underwriters Laboratories) declined, indicating that if we wished to purchase a copy—retail price, around £600/$800 for the full set—we were welcome to do so. Independent security researchers are also, we must assume, welcome to become UL retail customers.

"It's very concerning," Brian Knopf of I Am The Cavalry, a group of security researchers focused on public safety issues, told Ars. "Without transparency, the research community cannot help improve or audit the standards." As Ars has previously reported, Knopf is leading an effort to develop a five-star cybersecurity rating system for IoT devices.

Ken Modeste, UL's chief of cybersecurity technical services, defended the company's position. “Our whole mission is public safety,” he told Ars. “We’ve been here since 1894. We want to help industry and the public to choose safe products.”

Modeste pointed out that UL has been involved in the cybersecurity space for a decade, and employs around 600 staff focused on financial cybersecurity--certifying point-of-sale (POS) terminals, PCI compliance, and so forth. That, he said, led to talks with the US Department of Homeland Security (DHS) and other US government agencies to develop the technical specifications for UL 2900. “UL is probably one of the best organisations engaged in cybersecurity,” he added.

Modeste did not acknowledge that the lack of a freely available standard was even a problem, pointing out that numerous government and industry stakeholders have seen the standard and contributed to its development, and that UL charges rates comparable to organisations like the IEEE or IEC.

Instead, he emphasised that UL’s goal is to provide “the ability for a vendor to have some repeatable and reproducible way to evaluate their product to ensure it meets some minimum requirements.”

Mudge weighs in

That goal may be of even greater concern than their lack of transparency, according to Peiter “Mudge” Zatko, the former head of cybersecurity research at DARPA who is now building the Cyber Independent Testing Laboratory (CITL), a US Air Force-funded “Consumer Security Reports” for IoT devices.

Mudge told Ars he has evaluated over 100,000 pieces of software, many of them IoT devices, and based on that work he prefers a "nutritional label" or "Monroney Sticker" model that isn't pass/fail, but rather offers more fine-grained detail. The Monroney Sticker is the window label, required for all new cars sold in the US, that provides consumers with information such as fuel efficiency, smog emissions, and most importantly safety ratings.

"Too many unhealthy products will pass the bare-minimum certification process," Mudge said, "and the result is that users will [conclude] they are 'healthy' (when they are unhealthy).”

He was also critical of UL’s business model. "[UL] are a for-profit organisation," he wrote. "I worry about that as it creates [a] perverse incentive structure. Empowering the consumer is not where they derive their value/profit, and that goal can become masked or forgotten in the pursuit of profit."